jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.
History

Mon, 11 Nov 2024 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat acm
Redhat multicluster Engine
CPEs cpe:/a:redhat:acm:2.10::el9
cpe:/a:redhat:acm:2.9::el8
cpe:/a:redhat:multicluster_engine:2.4::el8
cpe:/a:redhat:multicluster_engine:2.5::el8
Vendors & Products Redhat acm
Redhat multicluster Engine

Thu, 31 Oct 2024 02:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_data_foundation:4.17::el9

Thu, 08 Aug 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat service Mesh
CPEs cpe:/a:redhat:service_mesh:2.6::el8
cpe:/a:redhat:service_mesh:2.6::el9
Vendors & Products Redhat service Mesh

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-09T00:43:06.930Z

Updated: 2024-08-02T00:48:49.416Z

Reserved: 2024-03-06T17:35:00.856Z

Link: CVE-2024-28176

cve-icon Vulnrichment

Updated: 2024-08-02T00:48:49.416Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-03-09T01:15:07.147

Modified: 2024-11-21T09:05:57.947

Link: CVE-2024-28176

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-03-09T00:00:00Z

Links: CVE-2024-28176 - Bugzilla